An INTERPOL-led global law enforcement operation has taken action against 1,300 ransomware, phishing, and malware command-and-control (C2) servers and led to the arrest of dozens of suspects.
C2 servers allow threat actors to deliver additional malware payloads and commands to control infected devices and exfiltrate data.
Involving 60 law enforcement agencies from over 50 INTERPOL member countries, Operation Synergia ran from September to November 2023.
It included house searches and seizing servers and electronic devices. During the operation, law enforcement agencies arrested 31 individuals and identified an additional 70 suspects.
Law enforcement operation shuts down 70% of cybercrime infrastructure
The operation identified cybercrime infrastructure in over 50 countries hosted by over 200 Web hosting providers. According to Group-IB, the law enforcement operation shut down 70% of the command and control servers, while the remaining 30% are under investigation.
Most C2 servers operated in Europe, where 26 suspects were arrested, while in Asia-Pacific (APAC), Hong Kong and Singapore police seized 153 and 86 servers, respectively. In Bolivia, authorities identified various malware variants and associated vulnerabilities.
In the Middle East and Africa (MEA), 17 law enforcement authorities participated in the INTERPOL-led law enforcement operation.
Most C2 servers in Africa operated in South Sudan and Zimbabwe, where authorities slapped the cuffs on four miscreants. Kuwait also participated by working with “Internet Service Providers to identify victims, conduct field investigations, and offer technical guidance to mitigate impacts.”
Nevertheless, peer-to-peer infrastructure remains difficult to disrupt, allowing hackers to survive such a concerted law enforcement operation. Threat actors can also quickly set up backup servers to weather the impacts of a targeted law enforcement operation.
Coordinated response to professionalized cybercrime
INTERPOL said the coordinated law enforcement operation responded to the “growth, escalation and professionalization of transnational cybercrime.”
The coordinated operation involved international and national law enforcement authorities and private sector organizations, including Group-IB, Kaspersky, Trend Micro, Shadowserver, and Team Cymru.
Group-IB provided crucial data, including 500 phishing IP addresses and 1,900 IP addresses associated with ransomware, Trojans, and banking malware.
Dmitry Volkov, CEO and co-founder of Group-IB, highlighted the importance of collaboration and data sharing in fighting cybercrime.
“Operation Synergia has shown that the synergy of global law enforcement, national cyber police forces, and the private sector is paramount,” Volkov said. “Together, we forge a collective front, sharing cyber intelligence and best practices to fight cybercrime.”
Similarly, Team Cymru participated in the law enforcement operation by providing analysis and intelligence support.
“The results of this operation, achieved through the collective efforts of multiple countries and partners, show our unwavering commitment to safeguarding the digital space,” said Bernardo Pillot, Assistant Director to the INTERPOL Cybercrime Directorate. “By dismantling the infrastructure behind phishing, banking malware, and ransomware attacks, we are one step closer to protecting our digital ecosystems and a safer, more secure online experience for all.”
Describing the operation as “another win for good people and society in general,” Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, said the operation was “yet another example of a law enforcement agency proactively taking down cybercriminal infrastructure and making the world a safer place.”
INTERPOL frequently cracking down on cybercrime and related offenses
Operation Synergia follows Operation Turquesa V in South America and Operation Storm Makers II in the Middle East, Africa, and Asia, targeting human trafficking rings linked to cyber scam centers.
Between November 27 and December 1, 2023, Operation Turquesa V nabbed 257 suspected immigrant smugglers and human traffickers, rescued 163 trafficking victims, and intercepted 12,000 irregular migrants.
Between October 16 and October 20, 2023, Operation Storm Makers II rescued 149 human trafficking victims and arrested 281 suspects on various charges, ranging from human trafficking to corruption and sexual exploitation.
The victims destined for cyber scam centers are usually lured through fake job offers, only to be held against their will and forced to commit cybercrime at an industrial scale while enduring extreme emotional, physical, and sexual assault.
Between July and December 2023, another law enforcement operation, HAECHI-IV, targeted financial criminals, arrested 3,500 suspects, and seized over $300 million across 34 countries.
“Now, in general, what happens is that these law enforcement takedowns are just temporary setbacks for the cybercriminals,” Grimes added. “Most of these professional crime gangs end up recreating needed resources and are back in business in a short period of time.”